Back to skill
Skillv1.0.0
VirusTotal security
AI Market Intelligence Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:15 AM
- Hash
- b8a6ba01fb34219c177dbd3883f58e976a6451d6cb3e06355aa193e0caa17bcf
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: market-intelligence Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability in `main.sh`. User-controlled arguments (`$KEYWORD`, `$PLATFORM`, `$PERIOD`) are directly embedded into a heredoc (`cat > "$output_file" << EOF`) without quoting the `EOF` marker, allowing command substitution (`$(command)`) to be executed by the shell. This constitutes a Remote Code Execution (RCE) risk if an attacker can control these inputs. Additionally, the direct embedding of these variables into the Markdown report allows for Markdown injection. There is no evidence of intentional malicious behavior like data exfiltration or backdoors, classifying it as a severe vulnerability rather than outright malware.
- External report
- View on VirusTotal